Yeah.  I had put the Root CA cert CA.crt in the server keys directory and added
the agent cert to the keystore too.

Followed the exact instructions given in link above.

I'm using just a two-machine setup.  One server and one agent machine.

Sandeep.


On Mon, 13 Nov 2017 at 9:08 PM, Gonzalo Herreros <[email protected]>
wrote:

> Did you also put the ca.crt file on the server in /var/lib/ambari-server/keys?
> Also, in the steps you don't mention adding all the certs to the server
> keystore, which is in the instructions.
>
> I think it's much less error-prone to let Ambari create and assign the
> certs it uses to communicate with agents (being careful to configure a longer
> life).
>
>
> On 13 November 2017 at 14:54, Sandy <[email protected]> wrote:
>
> > We are trying to set up security in server-agent communication using the
> > instructions provided in this article:
> >
> > https://community.hortonworks.com/articles/107092/configure-2-way-ssl-between-ambari-server-and-amba.html
> >
> > Here are the things I've done:
> > 1.  Obtained Certificates from CA for both server and agent machines.
> > 2.  Placed them in corresponding directories in both server and agent.
> > 3.  When we try to manually verify authentication using the following
> > command, two-way SSL seems to be working (openssl s_client -cert
> > agent-hostname.crt -key agent-hostname.key
> > -CAfile /var/lib/ambari-agent/keys/ca.crt -connect server-hostname:8441
> > -msg). Detailed logs below.
> > 4.  But the ambari agent throws the following error:
> >
> > INFO 2017-11-13 14:36:43,411 NetUtil.py:70 - Connecting to https://server-hostname:8440/connection_info
> > INFO 2017-11-13 14:36:43,426 security.py:55 - Server require two-way SSL authentication. Use it instead of one-way...
> > INFO 2017-11-13 14:36:43,426 security.py:183 - Server certicate exists, ok
> > INFO 2017-11-13 14:36:43,426 security.py:191 - Agent key exists, ok
> > INFO 2017-11-13 14:36:43,427 security.py:199 - Agent certificate exists, ok
> > INFO 2017-11-13 14:36:43,427 security.py:94 - SSL Connect being called.. connecting to the server
> > ERROR 2017-11-13 14:36:43,432 security.py:81 - Two-way SSL authentication failed. Ensure that server and agent certificates were signed by the same CA and restart the agent.
> > In order to receive a new agent certificate, remove existing certificate file from keys directory. As a workaround you can turn off two-way SSL authentication in server configuration(ambari.properties)
> > Exiting..
> > ERROR 2017-11-13 14:36:43,432 Controller.py:226 - Unable to connect to: https://server-hostname:8441/agent/v1/register/agent-hostname
> > Traceback (most recent call last):
> >   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 175, in registerWithServer
> >     ret = self.sendRequest(self.registerUrl, data)
> >   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 549, in sendRequest
> >     raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
> > IOError: Request to https://server-hostname:8441/agent/v1/register/agent-hostname failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> > ERROR 2017-11-13 14:36:43,433 Controller.py:227 - Error:Request to https://server-hostname:8441/agent/v1/register/agent-hostname failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> > WARNING 2017-11-13 14:36:43,433 Controller.py:228 -  Sleeping for 11 seconds and then trying again
> >
> >
> > Can someone help?
> >
> > -bash-4.1$ openssl s_client -cert agent-hostname.crt -key agent-hostname.key -CAfile /var/lib/ambari-agent/keys/ca.crt -connect server-hostname:8441 -msg
> >
> > CONNECTED(00000003)
> > >>> TLS 1.2 Handshake [length 00f2], ClientHello
> > ...
> > <<< TLS 1.2 Handshake [length 0051], ServerHello
> > ...
> > <<< TLS 1.2 Handshake [length 0524], Certificate
> > ...
> > verify return:1
> > <<< TLS 1.2 Handshake [length 0191], ServerKeyExchange
> > ...
> > <<< TLS 1.2 Handshake [length 00d2], CertificateRequest
> > ...
> > <<< TLS 1.2 Handshake [length 0004], ServerHelloDone
> >     0e 00 00 00
> > >>> TLS 1.2 Handshake [length 0fe2], Certificate
> > ...
> > >>> TLS 1.2 Handshake [length 008a], ClientKeyExchange
> > ...
> > >>> TLS 1.2 Handshake [length 0108], CertificateVerify
> > ...
> > >>> TLS 1.2 ChangeCipherSpec [length 0001]
> >     01
> > >>> TLS 1.2 Handshake [length 0010], Finished
> > ---
> > Certificate chain
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > ...
> > -----END CERTIFICATE-----
> > ...
> > ---
> > Acceptable client certificate CA names
> > ---
> > SSL handshake has read 2017 bytes and written 4534 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> >     Session-ID: 5A09AF66C19A54A200221F9EFACC20642DBDCCE50099EE6836FDA0B4ECE33EF6
> >     Session-ID-ctx:
> >     Master-Key: F4BD9CEA03E292AC4DC696B46E3CD1348BD954C300FAE6A07697507937B422187B51FB0814B20CFBCAFD21A65B30BEBC
> >     Key-Arg   : None
> >     Krb5 Principal: None
> >     PSK identity: None
> >     PSK identity hint: None
> >     Start Time: 1510584166
> >     Timeout   : 300 (sec)
> >     Verify return code: 0 (ok)
> > ---
> > -bash-4.1$
> >
> > --
> >
> > *Sandeep Kumar,*
> >  Mobile +91-9866507368
> >
> > *“Happiness is not a destination, It is the journey”*
> >
>
-- 

*Sandeep Kumar,*
 Mobile +91-9866507368

*“Happiness is not a destination, It is the journey”*
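The agent error quoted in this thread asks you to confirm that the server and agent certificates were signed by the same CA, and Gonzalo's reply points at the same thing from the server side (ca.crt in /var/lib/ambari-server/keys and the certs in the server keystore). The openssl s_client run shows the agent trusting the server's certificate and the server completing the handshake, but it does not by itself compare the two certificate files against one CA. The script below is an added example, not code from Ambari or from either poster: it verifies each leaf certificate against a given ca.crt and also compares issuer hashes, so a certificate that is valid on its own but issued by a different CA is caught. It assumes OpenSSL is on the PATH; the certificates it builds under a temporary directory are constructed test data whose file names mirror the ones in the thread, not the poster's real certificates.

```shell
#!/bin/sh
# Added example for this thread (not Ambari's code, not either poster's):
# an offline check that the server and agent certificates were issued by
# the same CA. Assumes OpenSSL is installed. All certificates created here
# are constructed test data in a temp directory.
set -eu

# same_ca CA_CRT SERVER_CRT AGENT_CRT
# Succeeds only if both leaf certificates verify against CA_CRT and name
# that CA as their issuer (issuer hash of the leaf == subject hash of the CA).
same_ca() {
  ca=$1
  ca_hash=$(openssl x509 -in "$ca" -noout -subject_hash)
  for leaf in "$2" "$3"; do
    if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
      echo "FAIL: $leaf does not chain to $ca" >&2
      return 1
    fi
    if [ "$(openssl x509 -in "$leaf" -noout -issuer_hash)" != "$ca_hash" ]; then
      echo "FAIL: $leaf names a different issuer than $ca" >&2
      return 1
    fi
  done
  echo "OK: $2 and $3 both chain to $ca"
}

# make_fixture DIR: build a throwaway CA, a server cert and an agent cert
# signed by it, plus an agent cert signed by an unrelated CA (the mismatch
# case the agent's error message describes). Constructed data only.
make_fixture() {
  dir=$1
  for ca in ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$dir/$ca.key" -out "$dir/$ca.crt" -subj "/CN=Test $ca" 2>/dev/null
  done
  issue() { # issue NAME CA_NAME: CSR for NAME, signed by CA_NAME
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$1.key" \
      -out "$dir/$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$dir/$1.csr" -CA "$dir/$2.crt" -CAkey "$dir/$2.key" \
      -CAcreateserial -days 1 -out "$dir/$1.crt" 2>/dev/null
  }
  issue server-hostname ca
  issue agent-hostname ca
  issue agent-wrong-ca other-ca
}

# Demo on constructed data: the first call passes, the second reproduces
# the "signed by a different CA" condition and is expected to fail.
work=$(mktemp -d)
make_fixture "$work"
same_ca "$work/ca.crt" "$work/server-hostname.crt" "$work/agent-hostname.crt"
if same_ca "$work/ca.crt" "$work/server-hostname.crt" "$work/agent-wrong-ca.crt"; then
  echo "unexpected: agent cert from the other CA passed"
else
  echo "expected: agent cert from the other CA was rejected"
fi
rm -rf "$work"
```

On a real deployment, point same_ca at the ca.crt the server uses and at the server and agent .crt files; a FAIL on the issuer line means each certificate may verify on its own while still coming from a different CA, which is exactly the case the agent log refuses.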
